Video Jacking Targets Hotels

Travelers beware: a new form of data harvesting is taking the form of small “video jacking” devices that mimic a USB charging device or hub, but secretly record the video that is discreetly split off from the phone via this crafty device.

As reported by Krebsonsecurity.com, these new video jacking tools are great ways for criminals to record the video of whatever you are doing on your mobile device, tablet, or computer.

It’s a little known fact that most of these devices are capable of duplicating their video output to be shown on a larger screen. These video jacking devices do just that – only the users are unaware that their activities are being watched or recorded off-site. And don’t think that just because your passwords are seen as small “******” characters will protect you – the devices will also record the input into the device, such as keyboard typing (even on smartphones).

In his article, Michael Krebs relayed how the new technology was on display at the DEF CON security conference in Las Vegas.

Video Jacking is an extension of “juice jacking” where an unwitting person plugs their USB device into a USB hub outfitted with technology ready to download all the data on the device. Most devices have now caught up with this technology and will ask users if they “trust” the computer that they are plugging into before it will share any data. Before that update most users were vulnerable to these sorts of threats. As Krebs points out:

“In contrast, video jacking lets the attacker record every key and finger stroke the user makes on the phone, so that the owner of the evil charging station can later replay the videos and see any numbers or keys pressed on the smart phone.”

You might be wondering how this happens. Well, think about it for a moment: when you type into your iPhone, the letters and numbers light up for a moment to show that it registered that keystroke. The video recording will show those exact keystrokes as lighting up in sequence, thus allowing the malicious person recording the events to discern even the PIN of the phone.

Surprising, right? And the total cost to build a rig that would do all this is just under $220, and most parts can be purchased online.

Wondering if you’re at risk? The phones that are most vulnerable to this particular flaw are those that are HDMI ready, mostly Android phones. Here is one list that will get you started to see if your phone is at risk. However, with a little extra finagling, even iPhones are at risk.

So how can you avoid this? Well, the most obvious answer is to always supply your own chargers. Although the risk that you could be vulnerable to one of these devices seems very, very small, it’s good to know that this technology is out there. Also, these could become more popular in the future just like card skimmers are a very real threat to people using ATM machines.